漏洞平台

POC详情： e54c3fbed3ba9164c6d3cb138b65533083e14086

来源

https://github.com/irissentinel/CVE-2021-36934

关联漏洞

标题： Microsoft Windows 访问控制错误漏洞 (CVE-2021-36934)
描述：Microsoft Windows是美国微软（Microsoft）公司的一种桌面操作系统。 Microsoft Windows 存在访问控制错误漏洞，该漏洞源于系统对多个系统文件的访问控制列表过于宽松，因此存在特权提升漏洞。成功利用此漏洞的攻击者可以使用SYSTEM权限运行任意代码。

描述

CVE-2021-36934 HiveNightmare vulnerability checker and workaround

介绍

# CVE-2021-36934
CVE-2021-36934 HiveNightmare vulnerability checker and workaround

### Flow

The script has the following flow:

- Requires it to run with Administrator privileges
- Check Windows 10 version is affected by the vulnerability.
  - IF affected by vulnerability:
    - Show Windows version may be affected by the vulnerability message
    - Check if the hive system files permissions are accessible by BUILTIN\Users
      - IF it is vulnerable:
        - Apply the workaround proposed by Microsoft https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
        - Check for Shadow Volume Copies
          - IF it exist:
            - Show the message: There are vulnerable shadow copies on the system
            - Delete existing shadow volume copies and show the message: Shadow copies have been removed
            - A new restore point is created with the name "Restorepoint for CVE-2021-36934 HiveNightmare" and show the message: A new restore point has been created
          - If it does NOT exist:
            - Show the message: No shadow copies found
            - Show the message: System is not vulnerable
      - If NOT vulnerable:
        - Show the message: No vulnerable hive system files found
        - Show the message: System is not vulnerable
  - If NOT affected by vulnerability:
    - Show the message: Operating System is not vulnerable

### Considerations

- Once the script to fix the vulnerability has been run, it can be run again to see if it has been fixed.
- Workaround will apply only to affected systems.
- The script works correctly with any language setting
- Some EDR systems may detect this script as suspicious behavior and stop its execution, due to the shadow volume being deleted. It is recommended to add as an exception.

### Outputs

If it is vulnerable and it has been fixed, we will get the following result: 

![HiveNightmare System is vulnerable](https://i.imgur.com/N3HQSKG.png)


If it is not vulnerable, we will get the following result:
![HiveNightmare System is not vulnerable](https://i.imgur.com/IrRwyzQ.png)

文件快照


 [4.0K]  /data/pocs/e54c3fbed3ba9164c6d3cb138b65533083e14086
├── [3.5K]  hivenightmare.ps1
├── [ 34K]  LICENSE
└── [2.0K]  README.md

0 directories, 3 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。